Robinhood account introduction flaw abused to ship phishing emails

On-line buying and selling platform Robinhood’s account introduction procedure used to be exploited via danger actors to inject phishing messages into respectable emails, tricking customers into believing their accounts had suspicious job.

Beginning closing evening, Robinhood consumers started receiving “Your contemporary login to Robinhood” emails mentioning that an “Unrecognized Instrument Connected to Your Account” used to be detected, containing extraordinary IP addresses and partial telephone numbers.

“We detected a login strive from a tool that isn’t known,” reads the phishing e mail. “If this used to be now not you, please overview your account job right away to protected your account.”

Integrated within the e mail used to be a button titled “Assessment Job Now”, which resulted in a phishing website at robinhood[.]casevaultreview[.]com, which is now down. 

Then again, screenshots on Reddit point out that the website used to be most likely used to check out to scouse borrow Robinhood credentials.

What made the emails convincing is they got here from the respectable Robinhood e mail deal with noreply@robinhood.com and handed SPF and DKIM e mail safety exams.

Exploiting Robinhood account introduction onboarding flaw

Attackers abused Robinhood to generate phishing emails via exploiting a flaw within the corporate’s onboarding procedure that allowed them to inject arbitrary HTML into its account affirmation emails.

BleepingComputer showed that once a brand new Robinhood account is registered, the corporate routinely sends a “Your contemporary login to Robinhood” e mail to the related deal with, containing the registration time, IP deal with, tool knowledge, and approximate location.

To inject the phishing message, danger actors changed their tool metadata fields to incorporate embedded HTML, which Robinhood didn’t correctly sanitize.

This HTML used to be then injected into the Instrument: box of the account introduction e mail, inflicting it to render as a faux “Unrecognized Instrument Connected to Your Account” message.

To focus on Robinhood consumers, attackers most likely used lists of recognized buyer e mail addresses from earlier information breaches. In November 2021, Robinhood suffered an information breach impacting 7 million consumers, with the knowledge later introduced on the market on a hacking discussion board.

The attackers extensively utilized Gmail’s dot aliasing conduct, the place including sessions to an deal with does now not trade its vacation spot, permitting them to sign up accounts the use of permutations of actual e mail addresses whilst nonetheless handing over the messages to the supposed recipients.

Consequently, recipients won what gave the look to be a regular login alert, however with an embedded phishing phase caution of “unrecognized job” and urging them to study their account.

Robinhood showed the incident in a remark posted to X.

“On Sunday night time, some consumers won a falsified e mail from noreply@robinhood.com with the topic line ‘Your contemporary login to Robinhood.’,” posted RobinHood.

“This phishing strive used to be made imaginable via an abuse of the account introduction drift. It used to be now not a breach of our techniques or buyer accounts, and private knowledge and price range weren’t impacted.”

BleepingComputer has showed that Robinhood has fastened this flaw via taking out the Instrument: box that used to be up to now abused from their account introduction emails.

Robinhood advises customers who won the message to delete it and keep away from clicking any hyperlinks.